Abstract

The widespread and extensive use of computers and their interconnections in almost all sectors, such as communications, finance, transportation, the military, governance, education and energy, has made them attractive targets for adversaries who can spy, disrupt or steal information with a few keystrokes from any part of the world. This paper presents a survey of major cyberattacks from 2001 to 2013 and analyzes these attacks to understand the motivation, targets and technique(s) employed by the attackers. Observed trends in cyberattacks are also discussed.


1 Introduction 

Cyberattacks are computer-to-computer attacks undermining the confidentiality, integrity, and/or availability of computers and/or the information they hold[1]. Computer networks have no geographical borders that need to be crossed for an attacker to steal information. This grants any attacker the freedom to pick a target anywhere in the world and carry out a cyberattack. Therefore, securing computer systems is as important as securing physical entities from attack. In terms of money, the Ponemon Institute[2] estimated the average cost of cyberattacks to be $11.6 million per organization for 2013, which was 26 percent more than in 2012.

Cyberattacks have not only caused losses in the billions of dollars[3], but have also had a psychological impact. As an example, in August 2004, fear of cyberattacks during the Olympic Games in Greece kept people from attending the Olympic events[4]. With the Internet of Things 1 already here, securing computer networks and end devices becomes a paramount concern to prevent cyberattacks from disrupting and hijacking them for malicious purposes. Hence, it is imperative to understand the motivations, attack vectors and weaknesses exploited by past cyberattacks. Lessons must be learned from past experiences to improve upon all aspects necessary for defending against cyberattacks in the future.

1 http://en.wikipedia.org/wiki/Internet_of_Things 
This paper covers major cyberattacks from 2001 to 2013. The scope of this paper is limited to cyberattacks that caused significant monetary losses, threatened critical infrastructure or national security, had the potential to cause loss of life and damage to physical property, or involved data leaks exposing personal information of users. This paper also covers cyber-espionage campaigns and cyberattacks with political motivations or agendas, as well as some acts of hacktivism. It then examines the trends in attack methodology, frequency, motivation behind the attacks, damage caused and attribution, and whether any lessons were learned from past cyberattacks to improve the security of computer systems.

(The source of a cyberattack is mentioned when the attackers were identified or suspected. For attacks where the source was unknown, we do not state this fact explicitly in the text. The term attack(s) is used interchangeably with cyberattack(s), unless explicitly mentioned otherwise.)


2 Revisiting past Cyberattacks 

This section surveys past cyberattacks to put the facts together, support the analysis and uncover trends. Looking at each attack in isolation provides only limited information; cyberattacks can, however, be related to one another and provide far more insight when analyzed together.

This paper classifies cyberattacks based on their targeting, i.e. undirected or directed/targeted. 
Undirected cyberattacks are not directed towards a specific target but attack any vulnerable host. 
Directed/targeted attacks are carried out against specific targets and are designed to exploit specific 
weaknesses of the targeted systems. 

2.1 Undirected Cyberattacks 

The first undirected attack within the scope of this paper was the Anna Kournikova virus identified in February 2001[5]. It exploited multiple vulnerabilities in the Windows operating system and Microsoft Outlook to spread to other systems[6]. Dutch programmer Jan de Wit created the virus to see if lessons had been learned from the ILOVEYOU[7] virus of the previous year[8]. In July 2001, the self-propagating Code Red worm[9] infected 359,000 computers in less than 14 hours by exploiting a buffer overflow vulnerability in Microsoft IIS Server, disrupting hosted websites[10]. The estimated losses were put close to $2.6 billion[11].

In January 2003, the Slammer worm wreaked havoc on the Internet by flooding networks with queries, causing routers to collapse[12]. Slammer also exploited a buffer overflow bug in Microsoft SQL Server[13], for which a patch had been available for 6 months before the worm was launched. In August of the same year, the Blaster worm infected more than 48,000 computers worldwide and mounted a distributed denial-of-service (DDoS) attack on windowsupdate.com[14]. The author of the Blaster worm, Jeffrey Lee Parson[15], exploited vulnerabilities in the Microsoft Remote Procedure Call interface to infect vulnerable hosts[16], even though patches had been released a month before the attack. Also in August 2003, the Sober email worm[17] was used to send political spam[18], and in 2005 its variants were circulated in fake emails impersonating the FBI and the CIA[19].

In 2004, the Mydoom worm[20] caused an estimated loss of $38.5 billion[21]. Believed to have originated in Russia[22], the worm infected more than 500,000 machines and was sent out as email attachments[21], with later versions exploiting a zero-day vulnerability in the Internet Explorer browser[23]. The Sasser worm[24] disrupted the services of many companies in 2004[25], which claimed losses totaling $155,000 in civil lawsuits[26]. Sasser exploited a known buffer overflow vulnerability in Microsoft's Local Security Authority Subsystem Service[27] and was attributed to Sven Jaschan[25]. Just before the Christmas holidays of 2004, the Santy worm was seen using search engines to find servers running vulnerable phpBB software and was able to deface over 40,000 websites[28, 29].

In August 2005, with monetary gain as the primary motive, Farid Essebar and Atilla Ekici[30] launched the Zotob worm[31], which exploited known vulnerabilities in the Windows 2000 operating system[32]. Zotob slowed down the computers of more than 100 companies, causing them to continually crash and reboot, while also opening a backdoor[33]. The worm caused an estimated average loss of $97,000 and 80 hours of cleanup per affected company[34].

In November 2008, the Conficker worm was detected exploiting a vulnerability present in multiple Microsoft operating systems that allowed arbitrary remote code execution, for which Microsoft had issued a critical security bulletin on 23 October 2008[35]. Conficker infected 11 million hosts globally[36] with an estimated economic cost of $9.1 billion[37]. Conficker is believed to have originated in Ukraine[38].

Undirected cyberattacks exploiting vulnerabilities in widely deployed software remain major threats; the Heartbleed vulnerability is a recent example[39, 40].


2.2 Targeted/Directed Cyberattacks 

Targeted cyberattacks have been further categorized according to their targets and potential motivations. 

2.2.1 Cyberattacks directed towards Nations 

Cyberattacks have targeted nations by specifically going after targets within a particular nation and 
disrupting normal operations of computers and networks. 

The US-China spy plane incident in April 2001 led to a month-long online battle between US and Chinese hackers, both sides defacing government-related websites and posting messages accusing each other over the incident[41].

April 2007 witnessed the first series of cyberattacks targeting a particular nation, Estonia[42]. Botnets from all around the world were directed at Estonia in a Distributed Denial-of-Service (DDoS) attack, and messages were posted on various defaced websites. The main targets were the websites of the Estonian President and parliament, government ministries, political parties, news organizations, the two biggest banks and telecommunication firms[42]. Consequently, Estonia had to cut off its networks from the outside Internet to protect against these attacks. One bank alone reported an estimated loss of 1 million dollars[43]. The attacks were seen as a patriotic response and blunt payback from Russia for the Estonian government's decision to relocate the Bronze Soldier of Tallinn, an elaborate Soviet-era grave marker, as well as war graves in Tallinn. Some reports alleged Russian government involvement, given the money and technical skills required to carry out such a sophisticated and coordinated attack on a country[44, 45]. Other experts doubted Russian involvement[46, 47]. In 2009, a Kremlin-backed youth group claimed to have carried out these cyberattacks[48].

In September 2007, Israel disrupted Syrian air defense systems during Operation Orchard 
allowing Israeli F-15s and F-16s to enter Syrian airspace without detection[49, 50]. 

In August 2008, Georgia suffered massive DDoS attacks and traffic re-routing that crippled its limited Internet infrastructure[51, 52]. The attacks started before the beginning of the conventional war between Russia and Georgia and continued alongside the military engagement. Georgia blamed Russia for the cyberattacks, though the attacks originated from infected computers in various countries[53].

In January 2009, Israeli websites belonging to small companies and government bodies, including the Israeli Defense Forces and the Israel Discount Bank, were targeted with DDoS attacks and defacements in protest and retaliation against Israeli military attacks on Gaza[54]. Israel suspected hackers from the former Soviet Union, paid by Hamas or Hezbollah, of carrying out the attacks[55]. In July 2009, DDoS attacks were directed at major government, news media and financial websites in South Korea and the US[56, 57]. South Korea, where some websites suffered outages for days, blamed the North Korean telecommunications ministry for the attacks[58].

In October 2012, DDoS attacks on Iran slowed down the Internet throughout the country[59]. 

2.2.2 Cyberattacks threatening National Security 

Government organizations and personnel, military networks, defense contractors and other entities tied to national security have been targets of various cyberattacks worldwide aimed at obtaining sensitive military, political, economic, strategic and government information.

Beginning in 2003, several US government agencies, including the departments of State, Energy and Homeland Security, NASA, as well as defense contractors, were targeted by a series of coordinated cyberattacks[60, 61]. The attacks, code-named Titan Rain, breached hundreds of unclassified networks, siphoning off any available information. In August 2005, the SANS Institute revealed that the attacks originated in the Chinese province of Guangdong[62].

In May 2006, hackers targeted the US State Department's headquarters and offices dealing with Asia, breaching the unclassified network[63]. The attacks exploited a zero-day vulnerability in the Microsoft operating system, and the malware exploit was delivered via phishing emails[64]. Sensitive information, including passwords, was believed to have been stolen[63, 65]. In August 2006, Maj. Gen. William Lord publicly stated that 10 to 20 terabytes of data had been downloaded by China from NIPRNet[66]. Also in 2006, spyware was found on the computer systems of classified departments at China's China Aerospace Science & Industry Corporation[67].

In June 2007, cyberattacks originating in China targeted the US Department of Defense[68]. Spoofed email bearing recognizable names and carrying malicious code was sent to the office of the Secretary of Defense. The malicious code exploited a known vulnerability in the Microsoft Windows operating system. Sensitive information accessible from the network, such as user IDs and passwords that allowed access to the entire unclassified network[69, 70], was exfiltrated, and 1,500 computers had to be taken offline[71]. In October, China accused foreign hackers from Taiwan and the US of stealing information, without providing any further details[67]. In November 2007, about 1,100 employees of the nuclear arms lab at Oak Ridge National Laboratory were targeted with phishing emails carrying attached malware, originating from Internet and web addresses located in China. The attackers were able to obtain visitor information for the lab going back to 1990[72].

During the summer of 2008, the databases of the Republican and Democratic presidential campaigns, containing sensitive internal documents and private data, were copied in a cyberattack[73]. The attacks were traced back to China by US intelligence agencies[74]. In November 2008, classified and unclassified networks of the US Department of Defense and US Central Command were compromised by a SillyFDC malware variant delivered via an infected USB stick at a base in the Middle East[75, 76].

In 2009, a Conficker worm infection grounded French fighter planes[77], and computers on board Royal Navy warships and submarines were also affected[78]. In March 2009, a global cyber-espionage network named GhostNet was revealed, which exploited a known vulnerability in Adobe's PDF reader[79]. GhostNet spied on multiple high-value targets, such as ministries of foreign affairs and embassies, in 103 countries, as well as international organizations, news media and NGOs[80]. Most attacks under GhostNet originated in China, though involvement of the Chinese government was not ascertained[81]. In April 2009, hackers stole terabytes of data related to the design and electronics systems of the F-35 Lightning II fighter jet. The sensitive data was encrypted before exfiltration to sources in China, making it impossible to determine precisely what information was stolen[82].

In April 2010, computer systems of the Indian Defense Ministry and Indian embassies in various countries were compromised[83]. The attacks stole classified information, including designs of weapon systems, internal security assessments of sensitive regions and emails from the Dalai Lama's office[84]. The attacks were traced back to China[85, 83].

In April 2011, within a month of the RSA breach[86], the stolen SecurID token data was used to hack the defense contractor L-3 Communications and steal sensitive information[87]. In May, Lockheed Martin[88, 89] as well as Northrop Grumman[90, 86] were targeted in cyberattacks using the stolen RSA SecurID data, though the attacks were thwarted. In July 2011, unknown attackers breached Pentagon networks, stealing 24,000 files, with the exact damage undisclosed[91, 92]. In August 2011, Operation Shady RAT was revealed to have been attacking 70 corporations and government organizations in the US since mid-2006, as well as other international targets[93, 94]. This cyber-espionage campaign employed spear-phishing with attached files containing malware that exploited a known vulnerability in Microsoft Excel to open a backdoor[95]. In October 2011, two US satellites were interfered with for a few minutes, allegedly by attackers from China[96].
In September 2012, the White House became the victim of spear-phishing attacks allegedly carried out by hackers in China[97]. In December 2012, the computer networks of the Indian government were breached, compromising 10,000 email accounts of top government officials and information on troop deployment[98].

In February 2013, a US government report revealed that 23 US gas companies had been targeted by cyberattacks that stole potentially security-sensitive information[99]. In May, the infiltration of systems at defense contractor QinetiQ by Chinese hackers was discovered. The attackers had been in the systems since 2007 because of a known security flaw, resulting in the compromise and exfiltration of most of the company's research[100]. Also in May, a report by the Defense Science Board stated that designs of US defense systems, including the Patriot missile system (PAC-3), Terminal High Altitude Area Defense and the Navy's Aegis ballistic-missile defense system, had been compromised by persistent, highly sophisticated cyberattacks carried out by China[101]. In August 2013, hackers gained access to the personal information, social security numbers and payroll information of 14,000 current and former employees of the US Department of Energy[102]. In September 2013, Operation Kimsuky was revealed to be spying on and stealing information from South Korean think-tank organizations using malware delivered via a spear-phishing campaign. North Korea was blamed for the targeted attack as the malware specifically disabled a particular South Korean antivirus product[103].

2.2.3 Cyberattacks on Companies and Organizations 

Cyberattacks discussed in this section targeted organizations in banking, finance, oil and energy, 
communications, technology, news media, retail sectors and other private enterprises. 

In January 2001, Microsoft websites were targeted with a DDoS attack for a day due to poor 
configuration of the network[104]. 

In 2004, hosts infected with the Mydoom worm were used in DDoS attacks on Google, 
Microsoft and other companies [105]. 

In January 2007, retail giant TJX suffered a targeted hack due to the poor security of its WiFi network, which allowed sniffing of information[106] on 45.7 million accounts, including credit and debit card numbers[107, 108]. Albert Gonzalez was convicted and sentenced to 20 years in prison for being the primary hacker[109] in the attack, which cost $4.5 billion[110].

During the summer of 2008, three US oil companies were targeted with phishing emails containing links to spyware to infect their systems. Attackers stole data on discoveries of new oil deposits, emails, passwords and other information related to executives who had access to proprietary exploration and discovery information[111, 112]. China's involvement in the attacks was suspected[111].

In December 2009, Citibank lost tens of millions of dollars to a cyberattack, which it denied[113, 114]. In one publicly known incident, the attackers used a keylogger to gain access to a user's account[115]. The source IPs used in the attacks had been linked in the past to the Russian Business Network hacking group[116].




In January 2010, Google announced that it had been targeted by sophisticated cyberattacks that compromised various user accounts[117]. At least 34 other companies, including Yahoo, Symantec, Adobe, Northrop Grumman and Dow Chemical, were hit by similar attacks, named Operation Aurora. The attacks exploited a zero-day vulnerability and other known vulnerabilities in Microsoft Internet Explorer and used spear-phishing to deliver malware for stealing data from the targeted companies[118, 119, 120]. Earlier reports[118, 119] mentioned that a zero-day vulnerability in Adobe Reader might have been exploited, but no conclusive evidence was found[121]. In October 2010, it was reported that banks in the US lost over $12 million to hackers who used the Zeus trojan to infect computers via phishing emails and recorded keystrokes to steal bank account credentials[122]. 100 people were charged as suspects[123].

In March 2011, Epsilon suffered a data breach due to malware delivered via a spear-phishing campaign[124, 125, 126]. The breach cost $225 million in damages plus additional costs to clients, with the total running into billions[127]. Also in March, security firm RSA suffered a massive breach of its network[86] due to malware exploiting a zero-day and an existing Adobe Flash vulnerability to install a backdoor[128]. Source code of the company's SecurID two-factor authentication product was stolen[129], with a resulting cost of $66 million for replacing the SecurID tokens[130]. In April 2011, malware introduced months earlier caused a three-day service outage at the Nonghyup agricultural bank in South Korea[131, 132]. North Korea was blamed for the disruption, which prevented 30 million bank customers from using the bank's ATMs and credit cards[132]. Also in April 2011, the Sony PlayStation Network lost the personal information of about 77 million users, including credit card numbers that were stored unencrypted, costing Sony $171 million[133, 134, 135, 136]. During May-June 2011, Sony BMG lost billions of dollars[137] after it was hacked via SQL injection by the hacker group LulzSec, which posted the plaintext data of 50,000 users online to expose weaknesses in the company's security[138, 139]. In May 2011, 360,083 credit card account details were stolen in a data breach at Citigroup Inc.[140, 141]. The hack exploited insecure direct object reference, SQL injection and XSS vulnerabilities[142]. Attackers stole $2.7 million[143] and the breach cost the company an additional $77 million[144]. In June 2011, the International Monetary Fund suffered a cyberattack aimed at stealing confidential information, using spear-phishing to install malware. The exact damage caused by the attack remains undisclosed[147, 148]. During October 2011, multiple chemical and defense sector companies worldwide came under the "Nitro" attacks, allegedly carried out by China[145, 146]. Phishing emails with attached malware and remote administration tools were used in these cyberattacks[146]. In November 2011, a cyberattack employing phishing against Norway's oil, gas and energy systems stole industrial drawings, industrial secrets and user credentials[149].
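
The Citigroup and Sony incidents above share two root causes that recur throughout this survey: an object identifier taken from the request and trusted without an ownership check (insecure direct object reference), and untrusted input spliced into a SQL statement (SQL injection). The following Python example is added here as an illustration and is not code from either company or from this paper. It uses an in-memory SQLite table seeded with constructed accounts, and the handler names get_account_vulnerable and get_account_hardened, the accounts table and the sample users are hypothetical; the point is the vulnerable handler placed beside its hardened form.

```python
import sqlite3

# Constructed sample data: three accounts, each owned by a different user.
SAMPLE_ACCOUNTS = [
    ("1001", "alice", 500),
    ("1002", "bob", 9000),
    ("1003", "carol", 120),
]


def build_db():
    """Create an in-memory SQLite database seeded with the constructed accounts."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE accounts (account_no TEXT PRIMARY KEY, owner TEXT, balance INTEGER)"
    )
    db.executemany("INSERT INTO accounts VALUES (?, ?, ?)", SAMPLE_ACCOUNTS)
    return db


def get_account_vulnerable(db, session_user, account_no):
    """Hypothetical handler for GET /accounts/<account_no> with both flaws.

    1. Insecure direct object reference: the account number from the URL is
       looked up without checking that session_user owns it (session_user is
       never consulted).
    2. SQL injection: the URL value is interpolated into the query text, so a
       crafted value changes the structure of the query.
    """
    sql = (
        "SELECT account_no, owner, balance FROM accounts "
        f"WHERE account_no = '{account_no}'"
    )
    return db.execute(sql).fetchall()


def get_account_hardened(db, session_user, account_no):
    """Same lookup with both flaws closed.

    The value is passed as a bound parameter, so it can never change the
    query structure, and the ownership check is part of the query itself, so
    a caller who does not own the account gets the same answer as for an
    account that does not exist (None, which the web layer would map to 404).
    """
    row = db.execute(
        "SELECT account_no, owner, balance FROM accounts "
        "WHERE account_no = ? AND owner = ?",
        (account_no, session_user),
    ).fetchone()
    return row


if __name__ == "__main__":
    db = build_db()
    # alice changes the identifier in the URL and reads bob's account
    print(get_account_vulnerable(db, "alice", "1002"))
    # a crafted identifier turns the WHERE clause into a tautology and dumps every row
    print(get_account_vulnerable(db, "alice", "' OR '1'='1"))
    # the hardened handler serves alice only her own account
    print(get_account_hardened(db, "alice", "1001"))
    print(get_account_hardened(db, "alice", "1002"))
    print(get_account_hardened(db, "alice", "' OR '1'='1"))
```

Binding the parameter alone would stop the injection but not the IDOR, and checking ownership in application code after an unbound query would stop the IDOR but not the injection; the hardened version does both in one statement, so there is no code path that returns another user's row.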

In January 2012, Zappos lost the data of 24 million customers, including emails, phone numbers and billing addresses[150]. As reported in June 2012, the Gmail accounts of various users were hijacked by unknown state-sponsored attackers who exploited a zero-day vulnerability in Internet Explorer allowing remote code execution[151, 152]. In September 2012, an industrial espionage campaign, called the Mirage Campaign after the Mirage remote exploit tool it used, targeted computers with IP addresses owned by oil, energy and military organizations, primarily in Taiwan or the Philippines, with some IPs located in Nigeria, Brazil, Israel, Canada and Egypt[153].

In February 2013, watering-hole cyberattacks exploiting a zero-day vulnerability in Java targeted Facebook, Apple and Microsoft[154, 155, 156]. The zero-day exploit was used to automatically download malware. In March, a virus delivered through phishing emails caused the sudden shutdown of two South Korean banks and three TV broadcasters, severely affecting broadcasting and ATM services[157]. Also in March, the TeamSpy espionage operation was discovered; it modified the DLL files of TeamViewer 2 to spy on and control targeted computers. The list of victims included high-profile industrial, research and diplomatic targets in Hungary and the embassy of a NATO/EU state in Russia[158]. The Reserve Bank of Australia was also hacked in March, and malware was installed to gather intelligence on sensitive G20 negotiations[159]. The exact extent of the damage remains undisclosed, with China being the alleged attacker[159]. In April, Japan's Goo and Yahoo Internet portals were hacked; 100,000 records of user data, including financial details such as credit card numbers, were leaked from Goo[160]. In July 2013, a Ubisoft website was hacked, exposing user emails and passwords[161] and potentially affecting up to 58 million accounts[162]. JPMorgan Chase bank also suffered a massive data breach in July 2013: 465,000 holders of the bank's prepaid cash cards had their personal information accessed by the attackers[163]. In November 2013, Ireland-based Loyaltybuild lost 376,000 credit card numbers and the personal information of 1.12 million customers[164].

In December 2013, retail chain Target suffered a massive network breach[165]. Attackers installed memory-scraping malware on point-of-sale (POS) devices after gaining access to the network using credentials stolen from an HVAC service contractor[166, 167]. The personal information of up to 70 million people and information on 40 million credit and debit card accounts was compromised. The reported cost of the breach was $148 million[168]. Also in December 2013, Chinese hackers spied on the computers of European G20 members before the G20 meeting[169]. The hackers employed spear-phishing to infect the targets with malware and gather intelligence on summit negotiations.
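
The memory-scraping malware used against Target works because a POS application briefly holds the card's magnetic-stripe data in process memory in cleartext, and the same observation is what a defender can use to hunt for it. The following Python example is added here and is not from this paper, from Target or from any POS vendor. It scans a constructed memory snapshot for Track 1 and Track 2 formatted data, applies the Luhn check to discard digit strings that merely fit the layout, and reports masked PANs and offsets only. The terminal banner, log line and card numbers in SAMPLE_MEMORY are constructed test values (the PANs are the industry's standard test numbers), and the function names are this example's own.

```python
import re

# Magnetic-stripe layouts as they appear in a POS process's memory.
# Track 2: ;<PAN>=<YY><MM><service code><discretionary data>?
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{2})(\d{2})\d{3}[^?]{0,40}\?")
# Track 1: %B<PAN>^<SURNAME/FORENAME>^<YY><MM><service code><discretionary data>?
TRACK1_RE = re.compile(rb"%B(\d{13,19})\^([^^]{2,26})\^(\d{2})(\d{2})[^?]{0,40}\?")

# Constructed memory snapshot: a terminal banner, two genuine track records
# (industry test card numbers), a log line and one digit string that looks
# like Track 2 but fails the Luhn check.
SAMPLE_MEMORY = (
    b"\x00\x00POS-TERMINAL-07\x00"
    b";4111111111111111=25121011234567890?\x00"
    b"log: txn ok\x00"
    b"%B5555555555554444^DOE/JANE^2603101?\x00"
    b";4111111111111112=2512101?\x00"
    b"\xff\xfe"
)


def luhn_ok(pan):
    """Return True if the digit string passes the Luhn checksum (ISO/IEC 7812)."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan):
    """Keep the first 6 and last 4 digits (BIN and tail), mask the rest."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_memory(buf):
    """Find Luhn-valid track data in buf; report masked PAN, expiry and offset."""
    hits = []
    for track, rx in ((2, TRACK2_RE), (1, TRACK1_RE)):
        for m in rx.finditer(buf):
            pan = m.group(1).decode("ascii")
            if not luhn_ok(pan):
                continue            # random digits that happen to fit the layout
            if track == 2:
                yy, mm = m.group(2), m.group(3)
            else:
                yy, mm = m.group(3), m.group(4)
            hits.append({
                "track": track,
                "pan": mask_pan(pan),
                "expiry": "20%s-%s" % (yy.decode(), mm.decode()),
                "offset": m.start(),
            })
    hits.sort(key=lambda h: h["offset"])
    return hits


if __name__ == "__main__":
    for h in scan_memory(SAMPLE_MEMORY):
        print(h)
```

Run against a real process dump the same scanner gives two things: confirmation that track data is present in cleartext in a process that should not retain it, and an offset to pivot from when inspecting the dump. A scraper uses the identical pattern match to harvest; the Luhn filter is what keeps either side from drowning in false positives.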

2.2.4 Cyberattacks on Critical Infrastructure 

Critical infrastructure 3 is an attractive target for cyberattacks, given its importance in sustaining normal daily operations. Vulnerabilities in computers supporting critical infrastructure can be exploited by cyberattacks just as in any other vulnerable system.

In 2003, the Slammer worm disabled the safety monitoring system at an Ohio nuclear plant for 5 hours[170]. In 2004, two Romanian hackers penetrated the network of the National Science Foundation's Amundsen-Scott South Pole Station and gained control of the critical life support system, potentially endangering the lives of 58 scientists and contractors[171].

In May 2009, the FAA's air-traffic network, used to guide and control civilian air traffic in the US, was hacked multiple times because of known vulnerabilities in the system[172, 173].

In June 2010, a highly sophisticated and targeted cyberattack disrupted centrifuges at Iran's Natanz uranium enrichment plant[174]. The malware, called Stuxnet, exploited four zero-day vulnerabilities in the Windows operating system[175]. Given the sophistication and complexity of targeting a specific system, Stuxnet was believed to have been created by Israel and the US to disrupt Iran's nuclear ambitions[176, 177, 178].

In October 2011, a malware with similarities to Stuxnet, known as Duqu, was discovered[179, 180]. Duqu created backdoors which could be exploited to destroy the network at an arbitrary time and also had a keylogger built into it. A zero-day vulnerability was exploited to distribute the Duqu trojan[181]. A month later, Iran admitted that its nuclear sites had been hit by Duqu[182]. In December 2011, cyberattacks on a Northwest rail company disrupted railway signals for two days[183].

2 http://www.teamviewer.com/en/index.aspx

3 http://www.dhs.gov/what-critical-infrastructure

In May 2012, the Flame malware, allegedly created by Israel and the US and aimed at slowing down Iran's ability to develop a nuclear weapon, was discovered[184, 185]. Flame exploited existing bugs and a zero-day vulnerability in the Windows operating system[185, 186] and had been infecting systems in Iran, Lebanon, Syria, Sudan, the Israeli Occupied Territories and other countries in the Middle East and North Africa for two years[187]. In August 2012, oil producer Saudi Aramco was targeted with the Shamoon malware in an attempt to disrupt oil production[188, 189]. The malware infected 30,000 workstations, although production itself was not disrupted. The Cutting Sword of Justice claimed responsibility for the attack[189], though it was attributed to an unknown nation-state actor[190].

In May 2013, it was revealed that unauthorized access to the databases of the National Inventory of Dams had allowed attackers to obtain sensitive information[191, 192]. In the same month, Israel stated that it had prevented cyberattacks from the Syrian Electronic Army targeting the computers of the water systems of the city of Haifa[193].

2.2.5 Hacktivism 4 

Cyberspace has also come under attacks motivated by hacktivism, leading to disruptions and losses in certain cases. Only attacks that caused widespread disruption are mentioned here.

In November 2010, the hacker group Anonymous[194], under Operation Payback, launched targeted DDoS attacks on financial organizations such as VISA, MasterCard and PayPal in protest and retaliation against the suspension of WikiLeaks accounts[195, 196].

In June 2011, Anonymous hacked defense contractor Booz Allen Hamilton to publicly humiliate companies and agencies that fail to protect employee and consumer data[197]. The attacks were carried out using SQL injection, leaking encrypted passwords and 53,000 .mil email addresses online[198, 199].

In February 2013, Bank of America suffered cyberattacks from Anonymous, with the group claiming that the attacks were in retaliation for the bank's online intelligence gathering operation on hacktivists[200]. Poor security mechanisms allowed over 6 GB of data to be leaked, including source code for OpenCalais and salary and bonus details of hundreds of thousands of executives and employees of various corporations from around the world[200].

2.2.6 Global Cyber-espionage Campaigns 

In October 2011, it was reported that 760 organizations worldwide had been under attack by a cyber-espionage campaign stealing sensitive information[201].

4 http://dictionary.reference.com/browse/hacktivism 
In January 2013, another global malware campaign, called Red October, was exposed and is believed to have been active since May 2007[202]. The campaign exploited vulnerabilities in Java, Microsoft Excel and Word software to steal information from governments, embassies, research institutions, organizations in trade and commerce, nuclear/energy research, oil and gas, aerospace and military sectors[203, 202].

In June 2013, a cyber-espionage campaign named NetTraveler, allegedly run from China, was discovered, with victims across multiple sectors including government institutions, embassies, the oil and gas industry, research institutes, military contractors and activists in 40 countries[204].

In September 2013, another cyber-espionage campaign, Operation Icefog, was revealed. It had attacked military, shipbuilding, maritime operations, research companies, telecom operators, satellite operators, mass media and television organizations in South Korea and Japan. The malware exploited known vulnerabilities and hijacked sensitive documents and credentials for accessing internal networks[205].


3 Analysis of Cyberattacks 

This section provides an analysis of the surveyed cyberattacks from various perspectives. Figure 1 shows the number of attacks and their targeted sectors over the years. The increasing trend in the number of cyberattacks can be attributed to the adoption of computers in more and more operations and tasks across all sectors. Figure 3 sums up the motivations behind the various cyberattacks. The techniques and exploits used by the attackers have been summarized in Figure 2.

Undirected cyberattacks have subsided while targeted attacks have increased and diversified with respect to targeting. Cyberattacks on critical infrastructure (Section 2.2.4) and national security establishments (Section 2.2.2) have shown an increasing trend. This should be a major concern for countries that rely on computers and their interconnections for storing sensitive information and for the proper functioning of critical infrastructure. A continued, sophisticated cyberattack can severely cripple a nation by targeting its critical infrastructure. Private sector companies and organizations have also seen a steady rise in the number of cyberattacks. Governmental organizations as well have fallen prey to well-organized and sophisticated adversaries that go after information, both classified and unclassified, and use the stolen information in future cyberattacks. The attack strategies provide a much more vivid picture to support this argument.

Figure 2 shows that the most widespread attacks, such as the Slammer and Blaster worms[12, 14], the sophisticated global cyber-espionage campaigns mentioned in Section 2.2.6 and many other cyberattacks exploited already known vulnerabilities, with patches already available for most of them. Next to known vulnerabilities, poor or compromised security mechanisms paved the way for successful cyberattacks. For example, in the cases of the Sony[134] and Target[167] breaches, poor security was responsible for the attacks. Security compromised by the attack on RSA[129] enabled the attacks on Lockheed Martin and Northrop Grumman[89, 90] in 2011. Phishing/spear-phishing was the most common mechanism used to deliver malware that exploited vulnerabilities in the system. Information stolen from non-classified sources[60, 61, 63, 75] was most likely used in the phishing attacks mentioned in Section 2.2.2. Distributed denial-of-service attacks remain a popular technique for disruption of services, as evident from the attacks on Estonia[44] and others, though the damage caused by them is minimal compared to other cyberattacks. Zero-day exploits have also surfaced in sophisticated cyberattacks like Stuxnet[174]. Defending against such attacks is harder, though measures can be taken to prevent the introduction of malware into the system by limiting access and blocking common delivery mechanisms like spear-phishing. Also, the exact details of many cyberattacks on companies, governments and other organizations are not disclosed publicly due to security concerns. However, sharing the details can help in developing better security mechanisms and defenses.

Figure 1: Sectors affected by Cyberattacks

Understanding the motivation behind cyberattacks can shed light on the likelihood of a computer 
system being targeted by a cyberattack. Data theft shows up as the biggest motivation behind 
cyberattacks, going after user information, credit card numbers, sensitive information like 
industrial secrets, corporate access credentials, banking information etc. This indicates that any 
computer system storing such data is a potential target and therefore must be secured against all 
known vulnerabilities and exploits. After data theft, cyber-espionage was the primary motive behind 
the majority of cyberattacks, including the cyber-espionage campaigns [See 2.2.6] aimed at spying, 
economic espionage, industrial espionage etc. The persistence of these cyberattacks calls for securing 
all entities in the system to prevent any weak link in the security chain, which also includes 
the human user. 

Disruption of services and networks by DDoS attacks has also motivated many cyberattacks 
on nation-specific targets [See 2.2.1]. The cyberattacks on Estonia and South Korea[132] should be 
taken as warnings of future attacks aimed at disruption of services, as they pose a threat to the stability 
of daily activities as well as financial losses due to downtime. Hacktivism can be seen as an emerging 
threat to computer systems; even though it has been largely limited to DDoS attacks and 
defacements, the cost of these attacks to the targets can be significant[206]. Criminals have also resorted 
to cyberattacks, stealing money being one of the motives. The number of attacks directly aimed at 
stealing money remains low, as theft of financial information has been counted as data theft. A 
rising motivation behind cyberattacks is to supplement conventional warfare. The cyberattacks on 
Georgia[51] and the use of cyber-offensive capability by Israel during a military operation[49] 
are among the known incidents to have supplemented conventional warfare with attacks in the cyber 
domain. With sophisticated defense technologies relying heavily on computer systems, protecting 
those systems against cyberattacks will be paramount in future conflicts. 

Figure 2: Exploits/Techniques employed in Cyberattacks 


4 Conclusion 

The increasing trend in the number of cyberattacks will continue as more systems get connected to the 
Internet. Protecting these systems against cyberattacks to ensure normal operation will be the key 
to minimizing disruptions and losses in terms of data, money and time. The majority of the cyberattacks we 
discussed could have been prevented had the systems been kept up to date with the latest patches. And 
yet, attacks exploiting known vulnerabilities are not subsiding. This shows that valuable lessons are 
not being learned from past experiences. The same is true of attacks employing spear-phishing, 
which is known to have caused a tremendous amount of damage in both the classified and unclassified 
domains. 

Attributing cyberattacks based on technical evidence is also hard due to the very basic structure 
of the Internet, which allows redirection, proxying and spoofing of the source. The alleged sources of 
most of the cyberattacks described were not based on technical evidence but derived from events in the 
non-cyber world. Therefore, a counter-offensive in response to a cyberattack may not be a feasible 
option at all, and defending the systems in the first place becomes more important. 

With the increasing adoption of technology and the connection of smart devices to the Internet, 
the security of future systems must be considered an integral part of the system design rather than 
an afterthought. Lack of security in such systems will not only worsen the known consequences 
but will have far more damaging effects on society. Learning from past experiences 
and designing better systems in future can help in changing the trend of increasing cyberattacks. 